EU- Summary of Custody Policy

Last Updated: March 2026

Introduction

Crossmint Europe, S.L. provides crypto-asset custody and administration services in accordance with MiCA. This policy explains, in general terms, how it protects clients’ crypto-assets, how it keeps them separate from its own assets, how it manages the risks linked to the service, and how it acts if an incident arises. It also describes the role of the technology providers that support the service.

1. Description of the policy and custody procedures

1.1. Operational and technological risks

Crossmint identifies, analyses and regularly reviews the risks that may affect its custody service. These include technical failures, outages affecting third-party services, cyber-attacks, cloud security issues, phishing and incidents involving personal data.

Each risk is assessed using two criteria: the likelihood of it happening and the impact it could have. The policy also provides for regular internal reviews and for any significant breaches to be reported to management and, where appropriate, to the relevant authorities.

1.2. Access to clients’ crypto-assets

Crossmint uses cryptographic measures and security standards to protect data and the access keys linked to crypto-assets. For this purpose, it uses distributed signing technology, which avoids having the private key concentrated in one single place.

In simple terms, this means that access to assets and the signing of transactions rely on several security elements, which reduces the risk of theft, loss or misuse. Crossmint also states that it retains its own ability to recover access to the assets even if the technology provider were to stop providing its service.

1.3. How the custody service works

Crossmint offers custodial wallets to store and manage clients’ crypto-assets. Each wallet is kept separate from the others and also from Crossmint’s own assets. Assets belonging to different clients are not pooled or mixed together.

In addition, Crossmint keeps a record of the assets it holds in custody and is able at all times to identify which assets belong to each client. The policy also provides for procedures to return assets when requested by the client and to inform clients in clear language about how the service works.

1.4. Orderly return of crypto-assets or access tools

Crossmint keeps clients’ crypto-assets segregated so that they can be returned in an orderly and efficient manner.

If the loss of a device or system is detected and this may affect access to the crypto-assets, staff must report it immediately. The policy also covers different return or reimbursement scenarios, whether the issue is caused by the client or possible fraud, or by an error on Crossmint’s side. In such cases, internal procedures are in place to process the reimbursement or return as appropriate.

1.5. Risk management and controls

Crossmint applies preventive measures to reduce operational and cyber-security risks. Risks are recorded, classified by severity and managed according to priority.

The company may decide to reduce a risk, accept it, transfer it to a third party, or avoid the activity that creates it. It also has internal compliance, security and risk management staff who oversee these tasks and report to management.

1.6. Exercise of rights linked to crypto-assets

Crossmint provides for clients to exercise the rights attached to the crypto-assets held in custody, provided those rights can be exercised legally and technically.

If changes or new rights arise in relation to a crypto-asset, Crossmint will update its records without undue delay. However, in the case of events such as forks, airdrops or similar events, Crossmint does not guarantee that it will recognise, support or deliver any new assets or rights that may arise.

1.7. Measures to reduce the risk of loss

Crossmint applies various security measures to protect crypto-assets and access tools. These include role-based access restrictions, required approvals for certain transactions, back-up systems, recovery arrangements in the event of an incident, and regular reviews of internal processes.

The policy also provides for controls relating to the onboarding and removal of users, key rotation, freezing suspicious activity and protecting offline recovery systems. The aim is to minimise the risk of loss, unauthorised access or service disruption.

1.8. Replacement of lost assets

If, despite these security measures, assets are lost as a result of a security incident, Crossmint will first try to reissue the asset, where this is possible.

If it cannot be reissued, Crossmint will try to acquire the same asset, or an equivalent one, in order to deliver it to the client. If that is also not possible, it will seek a reasonable solution agreed with the client.

1.9. Liability and compensation

Crossmint is liable to the client where the loss of crypto-assets or access tools results from an incident for which Crossmint is responsible.

In that case, its liability is limited to the market value of the crypto-asset at the time of the loss. Crossmint is not liable for losses arising from events outside its control, such as issues affecting a blockchain network that it does not control.

2. Sub-custody and third-party providers

2.1. Identity and role of third parties

Crossmint states that it does not outsource the custody of crypto-assets itself. In other words, the custody service is provided directly by Crossmint.

However, it does use technology providers to support its infrastructure, such as Fireblocks. According to the policy, these providers do not act as custodians vis-à-vis the client, but rather as technical support within the infrastructure used by Crossmint.

2.2. Oversight of providers

Crossmint carries out a prior review of providers before engaging them and checks matters such as their financial standing, security controls, internal organisation and ability to provide the service reliably.

It also reviews their activity on a regular basis, requires certain contractual protections and adapts contracts to applicable requirements, including operational resilience requirements where the provider supplies relevant ICT services. It also monitors material changes in the services provided and assesses the risks linked to access to data or systems.

2.3. Controls where functions are outsourced

Where third parties are involved in functions related to custody, Crossmint provides for controls to select the provider appropriately, put in place contractual safeguards, maintain the segregation of assets, monitor the service, carry out audits, and ensure business continuity and incident-response plans are in place.

The purpose is to ensure that, even where a provider is involved, clients’ assets continue to receive the same level of protection.

3. Contracts and client information

3.1. Custody agreement

The policy states that there is a custody agreement between Crossmint and its clients governing the service and how it operates. It also provides for a summary of the custody policy to be made available to clients.

3.2. Clear information for clients

Crossmint undertakes to provide information to clients in clear, concise and non-technical language. To do this, it plans to make information available on its website, using a simple structure, frequently asked questions and customer support channels.

It also provides for complaints to be handled through its support channels and for clients to receive certain relevant information, such as periodic statements of their crypto-assets, information on transactions requiring a response and, where applicable, the existence of any right of retention or set-off over the assets.

4. Safeguarding and segregation of clients’ crypto-assets

4.1. When Crossmint has possession of crypto-assets

Crossmint has custody of crypto-assets when they are held in a custodial wallet opened for the client.

This happens, for example, when the client purchases crypto-assets and these are credited to the wallet, or when crypto-assets are received from another wallet. Crossmint ceases to hold those assets in custody when the client orders a transfer and that transfer is executed on the relevant network, whether to send them to another wallet or to convert them into fiat currency.

4.2. Measures to prevent the use of client assets for Crossmint’s own account

Crossmint states that clients’ assets are held in separate wallets and are not used for the company’s own purposes.

In addition, records of assets are maintained, access controls are restricted, strong authentication is used, transaction authorisation systems are in place, and incident-response plans are maintained. All of this is intended to prevent assets from being mixed, accessed improperly or used without authorisation.

4.3. Separation between client wallets and Crossmint’s own wallets

The policy states that clients’ addresses and wallets must be kept separate from those of Crossmint. To achieve this, access controls, multiple approvals, regular reviews and business continuity measures are applied.

The policy also describes internal approval mechanisms and key custody arrangements, together with recovery systems in the event of incidents, in order to preserve the integrity and separation of assets at all times.

4.4. Individual identification of each client’s assets

Crossmint maintains an account and record structure that makes it possible at all times to identify which assets belong to each client and to distinguish them from the company’s own assets.

To strengthen this separation, it uses separate workspaces, different user profiles, approvals for sensitive transactions, recovery procedures and regular security reviews.

5. Safeguarding and segregation of client funds in euros

5.1. Holding of client funds

Crossmint states that it does not hold clients’ fiat funds in custody.

5.2. Deposit of client funds

This point does not apply, precisely because Crossmint does not hold clients’ fiat funds in custody.

5.3. Authorised payment providers

For fiat payments or card payments, Crossmint uses specialist external providers, such as Stripe or Checkout.

5.4. Selection of deposit institutions

This point also does not apply under the policy, since Crossmint does not deposit clients’ fiat funds on their behalf.